fix: sanitize ZIP entry names to prevent path traversal #42
@@ -12,7 +12,17 @@ public static byte[] CreateZip(IReadOnlyList<PgFile> files) | |
| { | ||
| foreach (var file in files) | ||
| { | ||
| var entry = archive.CreateEntry(file.Name, CompressionLevel.Optimal); | ||
| // Strip any directory components so traversal sequences (e.g. "../../") | ||
| // cannot be embedded as ZIP entry names in produced archives. | ||
| var entryName = Path.GetFileName(file.Name); | ||
| if (string.IsNullOrEmpty(entryName)) | ||
| { | ||
| throw new ArgumentException( | ||
| $"File name '{file.Name}' does not resolve to a valid entry name.", | ||
| nameof(files)); | ||
| } | ||
| var entry = archive.CreateEntry(entryName, CompressionLevel.Optimal); | ||
[nit] Flattening directory components can silently collapse distinct inputs (e.g.
| using var entryStream = entry.Open(); | ||
| file.Content.CopyTo(entryStream); | ||
| } | ||
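Review bot: the `string.IsNullOrEmpty(entryName)` guard only rejects names whose last segment is empty (e.g. `dir/`); `Path.GetFileName(".")` and `Path.GetFileName("..")` return their input unchanged, so `..` would be accepted as an entry name by this hunk and handed to `archive.CreateEntry`. Extend the check to cover the dot names as well, e.g. `if (string.IsNullOrEmpty(entryName) || entryName == "." || entryName == "..")`, and add `.` and `..` to the rejected-input test cases alongside the traversal ones.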
Blocking:
`Path.GetFileName` is platform-dependent — on non-Windows runtimes it only treats `/` as a separator, so a Windows-style traversal name like `..\..\etc\passwd` passes through UNCHANGED here. Verified on this Linux runtime: `Path.GetFileName("..\\..\\etc\\passwd")` returns the string unchanged. Because these ZIPs are consumed cross-platform (extracted on Windows, where `\` IS a separator), the fix does not prevent embedded traversal for backslash sequences when the archive is created on Linux/macOS. Strip BOTH `/` and `\` explicitly (split on both separator chars / take the last segment) instead of relying on `Path.GetFileName`, and add a `..\..\`-style test case.
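A sanitizer along the lines the blocking comment asks for, as an added example that is not part of this PR or the project's code: it takes the last segment after either `/` or `\` instead of relying on `Path.GetFileName`, rejects empty, `.` and `..` segments, and exercises the `..\..\etc\passwd` case on any runtime. The class and method names are assumed, and the inputs in `SelfCheck` are constructed.

```csharp
using System;

public static class ZipEntryNames
{
    // Both separators are handled explicitly so the result does not depend on the
    // runtime that builds the archive (Path.GetFileName only knows '/' on Linux/macOS).
    private static readonly char[] Separators = { '/', '\\' };

    // Reduces an input name to a single path segment that is safe to use as a ZIP
    // entry name: no directory components and no "." / ".." segment.
    public static string ToSafeEntryName(string name)
    {
        if (name is null) throw new ArgumentNullException(nameof(name));

        // Last segment after the last '/' or '\'; "dir/" yields an empty segment.
        var lastSep = name.LastIndexOfAny(Separators);
        var segment = lastSep < 0 ? name : name.Substring(lastSep + 1);

        // Path.GetFileName("..") returns "..", so the dot names need an explicit check
        // in addition to the emptiness check.
        if (segment.Length == 0 || segment == "." || segment == "..")
        {
            throw new ArgumentException(
                $"File name '{name}' does not resolve to a valid entry name.", nameof(name));
        }
        return segment;
    }

    // Constructed inputs covering the cases raised in review; returns false on the
    // first mismatch so the method doubles as a quick self-check.
    public static bool SelfCheck()
    {
        var accepted = new (string Input, string Expected)[]
        {
            ("report.txt", "report.txt"),
            ("../../etc/passwd", "passwd"),        // POSIX-style traversal
            (@"..\..\etc\passwd", "passwd"),        // Windows-style traversal, also on Linux
            (@"..\..\/etc/../mixed\x.txt", "x.txt"), // mixed separators
        };
        foreach (var (input, expected) in accepted)
            if (ToSafeEntryName(input) != expected) return false;

        foreach (var bad in new[] { "", "dir/", @"dir\", ".", "..", "a/.." })
        {
            try { ToSafeEntryName(bad); return false; }
            catch (ArgumentException) { /* expected */ }
        }
        return true;
    }
}
```

Calling `ToSafeEntryName` in place of `Path.GetFileName` in `CreateZip` keeps the flattening behaviour of this PR while making it independent of the producing platform; the nit about distinct inputs collapsing to the same entry name still applies.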